cordova-dev mailing list archives

From Martin Georgiev <mgeorg...@utexas.edu>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 20:17:44 GMT
On Fri, Jan 31, 2014 at 2:14 PM, Andrew Grieve <agrieve@chromium.org> wrote:
> On Fri, Jan 31, 2014 at 3:05 PM, Martin Georgiev <mgeorgiev@utexas.edu> wrote:
>
>> On Fri, Jan 31, 2014 at 1:22 PM, Andrew Grieve <agrieve@chromium.org>
>> wrote:
>> > cordova.js goes in your <head>. I don't see how an iframe could get loaded
>> > before it.
>>
>> An iframe can load an independent modified cordova.js into its own origin.
>>
>
> Right, but it's the order that matters, no? I'm arguing that an iframe
> couldn't do that *before* the main frame does.

Sure, but what I'm saying is that if JavaScript can hand a SecureToken
to the native side, then there's nothing to prevent an attacker from
exploiting the bridge. Moreover, before you start protecting the
bridge, it will be unprotected. So, the act of handing a SecureToken to
the native side would be over an unprotected bridge.
